On Mon, Sep 28, 2020 at 02:35:04PM +0200, Greg Kurz wrote: > When the IOTLB device is enabled, the vring addresses we get from > userspace are GIOVAs. It is thus wrong to pass them to vq_access_ok() > which only takes HVAs. The IOTLB map is likely empty at this stage, > so there isn't much that can be done with these GIOVAs. Access validation > will be performed at IOTLB prefetch time anyway. > > BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1883084 > Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API") > Cc: jasowang@xxxxxxxxxx > CC: stable@xxxxxxxxxxxxxxx # 4.14+ > Signed-off-by: Greg Kurz <groug@xxxxxxxx> > --- > drivers/vhost/vhost.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index b45519ca66a7..6296e33df31d 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -1509,7 +1509,10 @@ static long vhost_vring_set_addr(struct vhost_dev *d, > * If it is not, we don't as size might not have been setup. > * We will verify when backend is configured. */ > if (vq->private_data) { > - if (!vq_access_ok(vq, vq->num, > + /* If an IOTLB device is present, the vring addresses are > + * GIOVAs. Access will be validated during IOTLB prefetch. */ > + if (!vq->iotlb && > + !vq_access_ok(vq, vq->num, > (void __user *)(unsigned long)a.desc_user_addr, > (void __user *)(unsigned long)a.avail_user_addr, > (void __user *)(unsigned long)a.used_user_addr)) OK I think you are right here. Jason, can you ack pls? However, I think a cleaner way to check this is by moving the following check from vhost_vq_access_ok to vq_access_ok: /* Access validation occurs at prefetch time with IOTLB */ if (vq->iotlb) return true; >